Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.633179][ T6791] IPVS: ftp: loaded support on port[0] = 21
[ 59.961943][ T17] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 60.202020][ T17] usb 1-1: Using ep0 maxpacket: 8
[ 60.322020][ T17] usb 1-1: New USB device found, idVendor=0b95, idProduct=172a, bcdDevice=78.22
[ 60.331530][ T17] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 60.343370][ T17] usb 1-1: config 0 descriptor??
[ 60.601931][ T17] asix 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read MAC address: 0
[ 60.623829][ T17] asix 1-1:0.0 eth1: register 'asix' at usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet, b6:9c:61:7b:25:6e
[ 60.807162][ T17] usb 1-1: USB disconnect, device number 2
[ 60.814523][ T17] asix 1-1:0.0 eth1: unregister 'asix' usb-dummy_hcd.0-1, ASIX AX88172A USB 2.0 Ethernet
[ 60.892923][ T17] ==================================================================
[ 60.901175][ T17] BUG: KASAN: use-after-free in ax88172a_unbind+0x76/0xe7
[ 60.908273][ T17] Read of size 8 at addr ffff888095104e80 by task kworker/1:0/17
[ 60.915965][ T17]
[ 60.918279][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.7.0-syzkaller #0
[ 60.926073][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.936120][ T17] Workqueue: usb_hub_wq hub_event
[ 60.941121][ T17] Call Trace:
[ 60.944414][ T17]  dump_stack+0x188/0x20d
[ 60.948756][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 60.953516][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 60.958266][ T17]  print_address_description.constprop.0.cold+0xd3/0x413
[ 60.965271][ T17]  ? usbnet_disconnect+0xf0/0x270
[ 60.970281][ T17]  ? vprintk_func+0x97/0x1a6
[ 60.974858][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 60.979605][ T17]  kasan_report.cold+0x1f/0x37
[ 60.984355][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 60.989103][ T17]  ? ax88172a_reset.cold+0x131/0x131
[ 60.994389][ T17]  ax88172a_unbind+0x76/0xe7
[ 60.998980][ T17]  usbnet_disconnect+0x145/0x270
[ 61.003923][ T17]  usb_unbind_interface+0x1bd/0x8a0
[ 61.009111][ T17]  ? __pm_runtime_idle+0xd1/0x320
[ 61.014118][ T17]  ? usb_autoresume_device+0x60/0x60
[ 61.019390][ T17]  device_release_driver_internal+0x432/0x500
[ 61.025442][ T17]  bus_remove_device+0x2dc/0x4a0
[ 61.030366][ T17]  device_del+0x481/0xd30
[ 61.034684][ T17]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.040646][ T17]  ? device_link_remove+0x110/0x110
[ 61.045827][ T17]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 61.051098][ T17]  usb_disable_device+0x211/0x690
[ 61.056110][ T17]  usb_disconnect+0x284/0x8d0
[ 61.060774][ T17]  hub_event+0x17ca/0x38f0
[ 61.065193][ T17]  ? hub_port_debounce+0x260/0x260
[ 61.070293][ T17]  ? __queue_work+0x730/0x1280
[ 61.075048][ T17]  ? debug_smp_processor_id+0x2f/0x185
[ 61.080495][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 61.086045][ T17]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.092014][ T17]  process_one_work+0x965/0x16a0
[ 61.096941][ T17]  ? lock_release+0x800/0x800
[ 61.101618][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.106992][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 61.111921][ T17]  worker_thread+0x96/0xe20
[ 61.116416][ T17]  ? process_one_work+0x16a0/0x16a0
[ 61.121598][ T17]  kthread+0x388/0x470
[ 61.125652][ T17]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.131355][ T17]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.137059][ T17]  ret_from_fork+0x24/0x30
[ 61.141462][ T17]
[ 61.143774][ T17] Allocated by task 17:
[ 61.147915][ T17]  save_stack+0x1b/0x40
[ 61.152052][ T17]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.157666][ T17]  kmem_cache_alloc_trace+0x153/0x7d0
[ 61.163021][ T17]  ax88172a_bind+0xa3/0x751
[ 61.167506][ T17]  usbnet_probe+0xb36/0x2600
[ 61.172077][ T17]  usb_probe_interface+0x305/0x7a0
[ 61.177198][ T17]  really_probe+0x281/0x6d0
[ 61.181683][ T17]  driver_probe_device+0x104/0x210
[ 61.186779][ T17]  __device_attach_driver+0x1c2/0x220
[ 61.192130][ T17]  bus_for_each_drv+0x162/0x1e0
[ 61.196960][ T17]  __device_attach+0x21a/0x360
[ 61.201703][ T17]  bus_probe_device+0x1e4/0x290
[ 61.206530][ T17]  device_add+0x132d/0x1c10
[ 61.211017][ T17]  usb_set_configuration+0xec5/0x1740
[ 61.216371][ T17]  usb_generic_driver_probe+0x9d/0xe0
[ 61.221723][ T17]  usb_probe_device+0xc6/0x1f0
[ 61.226491][ T17]  really_probe+0x281/0x6d0
[ 61.230975][ T17]  driver_probe_device+0x104/0x210
[ 61.236084][ T17]  __device_attach_driver+0x1c2/0x220
[ 61.241438][ T17]  bus_for_each_drv+0x162/0x1e0
[ 61.246287][ T17]  __device_attach+0x21a/0x360
[ 61.251035][ T17]  bus_probe_device+0x1e4/0x290
[ 61.255885][ T17]  device_add+0x132d/0x1c10
[ 61.260368][ T17]  usb_new_device.cold+0x753/0x103d
[ 61.265546][ T17]  hub_event+0x1eca/0x38f0
[ 61.269946][ T17]  process_one_work+0x965/0x16a0
[ 61.274861][ T17]  worker_thread+0x96/0xe20
[ 61.279345][ T17]  kthread+0x388/0x470
[ 61.283393][ T17]  ret_from_fork+0x24/0x30
[ 61.287784][ T17]
[ 61.290093][ T17] Freed by task 17:
[ 61.293885][ T17]  save_stack+0x1b/0x40
[ 61.298020][ T17]  __kasan_slab_free+0xf7/0x140
[ 61.302866][ T17]  kfree+0x109/0x2b0
[ 61.306742][ T17]  ax88172a_bind.cold+0xad/0x1df
[ 61.311677][ T17]  usbnet_probe+0xb36/0x2600
[ 61.316249][ T17]  usb_probe_interface+0x305/0x7a0
[ 61.321360][ T17]  really_probe+0x281/0x6d0
[ 61.325860][ T17]  driver_probe_device+0x104/0x210
[ 61.330953][ T17]  __device_attach_driver+0x1c2/0x220
[ 61.336304][ T17]  bus_for_each_drv+0x162/0x1e0
[ 61.341153][ T17]  __device_attach+0x21a/0x360
[ 61.345900][ T17]  bus_probe_device+0x1e4/0x290
[ 61.350747][ T17]  device_add+0x132d/0x1c10
[ 61.355238][ T17]  usb_set_configuration+0xec5/0x1740
[ 61.360590][ T17]  usb_generic_driver_probe+0x9d/0xe0
[ 61.365943][ T17]  usb_probe_device+0xc6/0x1f0
[ 61.370688][ T17]  really_probe+0x281/0x6d0
[ 61.375205][ T17]  driver_probe_device+0x104/0x210
[ 61.380433][ T17]  __device_attach_driver+0x1c2/0x220
[ 61.385810][ T17]  bus_for_each_drv+0x162/0x1e0
[ 61.390666][ T17]  __device_attach+0x21a/0x360
[ 61.395424][ T17]  bus_probe_device+0x1e4/0x290
[ 61.400253][ T17]  device_add+0x132d/0x1c10
[ 61.404738][ T17]  usb_new_device.cold+0x753/0x103d
[ 61.409916][ T17]  hub_event+0x1eca/0x38f0
[ 61.414313][ T17]  process_one_work+0x965/0x16a0
[ 61.419230][ T17]  worker_thread+0x96/0xe20
[ 61.423714][ T17]  kthread+0x388/0x470
[ 61.427784][ T17]  ret_from_fork+0x24/0x30
[ 61.432177][ T17]
[ 61.434530][ T17] The buggy address belongs to the object at ffff888095104e80
[ 61.434530][ T17]  which belongs to the cache kmalloc-64 of size 64
[ 61.448412][ T17] The buggy address is located 0 bytes inside of
[ 61.448412][ T17]  64-byte region [ffff888095104e80, ffff888095104ec0)
[ 61.461401][ T17] The buggy address belongs to the page:
[ 61.467022][ T17] page:ffffea0002544100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.476108][ T17] flags: 0xfffe0000000200(slab)
[ 61.480961][ T17] raw: 00fffe0000000200 ffffea00027f05c8 ffffea0002a10dc8 ffff8880aa000380
[ 61.489528][ T17] raw: 0000000000000000 ffff888095104000 0000000100000020 0000000000000000
[ 61.498098][ T17] page dumped because: kasan: bad access detected
[ 61.504486][ T17]
[ 61.506795][ T17] Memory state around the buggy address:
[ 61.512424][ T17]  ffff888095104d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 61.520477][ T17]  ffff888095104e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 61.528523][ T17] >ffff888095104e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 61.536562][ T17]                    ^
[ 61.540610][ T17]  ffff888095104f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 61.548803][ T17]  ffff888095104f80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 61.556882][ T17] ==================================================================
[ 61.564944][ T17] Disabling lock debugging due to kernel taint
[ 61.572938][ T17] Kernel panic - not syncing: panic_on_warn set ...
[ 61.579557][ T17] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 5.7.0-syzkaller #0
[ 61.588745][ T17] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.598811][ T17] Workqueue: usb_hub_wq hub_event
[ 61.603832][ T17] Call Trace:
[ 61.607121][ T17]  dump_stack+0x188/0x20d
[ 61.611478][ T17]  ? ax88172a_reset.cold+0x117/0x131
[ 61.616971][ T17]  panic+0x2e3/0x75c
[ 61.620849][ T17]  ? add_taint.cold+0x16/0x16
[ 61.625546][ T17]  ? preempt_schedule_common+0x5e/0xc0
[ 61.630992][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 61.635737][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 61.640494][ T17]  ? preempt_schedule_thunk+0x16/0x18
[ 61.645855][ T17]  ? trace_hardirqs_on+0x55/0x230
[ 61.650858][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 61.655596][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 61.660336][ T17]  end_report+0x4d/0x53
[ 61.664466][ T17]  kasan_report.cold+0xd/0x37
[ 61.669139][ T17]  ? ax88172a_unbind+0x76/0xe7
[ 61.673896][ T17]  ? ax88172a_reset.cold+0x131/0x131
[ 61.679153][ T17]  ax88172a_unbind+0x76/0xe7
[ 61.683724][ T17]  usbnet_disconnect+0x145/0x270
[ 61.688663][ T17]  usb_unbind_interface+0x1bd/0x8a0
[ 61.693839][ T17]  ? __pm_runtime_idle+0xd1/0x320
[ 61.698842][ T17]  ? usb_autoresume_device+0x60/0x60
[ 61.704123][ T17]  device_release_driver_internal+0x432/0x500
[ 61.710182][ T17]  bus_remove_device+0x2dc/0x4a0
[ 61.715109][ T17]  device_del+0x481/0xd30
[ 61.719437][ T17]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.725401][ T17]  ? device_link_remove+0x110/0x110
[ 61.730571][ T17]  ? remove_intf_ep_devs+0x13f/0x1d0
[ 61.735830][ T17]  usb_disable_device+0x211/0x690
[ 61.740947][ T17]  usb_disconnect+0x284/0x8d0
[ 61.745601][ T17]  hub_event+0x17ca/0x38f0
[ 61.750016][ T17]  ? hub_port_debounce+0x260/0x260
[ 61.755103][ T17]  ? __queue_work+0x730/0x1280
[ 61.759846][ T17]  ? debug_smp_processor_id+0x2f/0x185
[ 61.765283][ T17]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 61.770806][ T17]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.776764][ T17]  process_one_work+0x965/0x16a0
[ 61.781680][ T17]  ? lock_release+0x800/0x800
[ 61.786334][ T17]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.791702][ T17]  ? rwlock_bug.part.0+0x90/0x90
[ 61.796642][ T17]  worker_thread+0x96/0xe20
[ 61.801138][ T17]  ? process_one_work+0x16a0/0x16a0
[ 61.806312][ T17]  kthread+0x388/0x470
[ 61.810371][ T17]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.816066][ T17]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.821775][ T17]  ret_from_fork+0x24/0x30
[ 61.827437][ T17] Kernel Offset: disabled
[ 61.831754][ T17] Rebooting in 86400 seconds..